Sigh. We've had this bug before (it isn't a security hole, btw). At the SNIA plugfest Codenomicon showed that a bad OID sent in a NegTokenInit can cause asn1_read_OID() to fail to read an OID string without setting asn1->has_error in the data ASN.1 structure.
The OID array in the function definition:

    bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
                                   DATA_BLOB blob,
                                   char *OIDs[ASN1_MAX_OIDS],
                                   char **principal,
                                   DATA_BLOB *secblob)

is a BAD interface. And we should always set OIDs[0...ASN1_MAX_OIDS-1] = NULL
before attempting to do any parsing, in the same way we set *principal = NULL and *secblob = data_blob_null.
Patches to follow. More when I have coordinated with Codenomicon to get a packet trace of the exact packet that caused the problem.
Jeremy.
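The initialisation rule Jeremy describes (clear every OIDs[] slot before parsing, the same way *principal and *secblob are cleared) shown as an added, stand-alone C example. This is not Samba code: ASN1_MAX_OIDS keeps its real name but its value here is a hypothetical choice, the blob format is a toy [tag][len][text] list rather than real DER, and oids_init/oids_parse/oids_free/oids_count/demo are made up for the demo. The point it demonstrates is that once the output array is NULL-filled up front, the caller's free loop is safe no matter where the parser bailed out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Samba code. ASN1_MAX_OIDS is the real Samba constant
 * name; the value used here is a hypothetical choice for the demo. */
#define ASN1_MAX_OIDS 20

/* Clear every output slot before any parsing, so an early bail-out leaves
 * the caller with a well-defined array to free. */
static void oids_init(char *OIDs[ASN1_MAX_OIDS])
{
    size_t i;
    for (i = 0; i < ASN1_MAX_OIDS; i++) {
        OIDs[i] = NULL;
    }
}

/* Free whatever was allocated; safe on a partially filled array only
 * because every slot is either a valid pointer or NULL. */
static void oids_free(char *OIDs[ASN1_MAX_OIDS])
{
    size_t i;
    for (i = 0; i < ASN1_MAX_OIDS && OIDs[i] != NULL; i++) {
        free(OIDs[i]);
        OIDs[i] = NULL;
    }
}

/* Toy list format for the demo only: repeated [0x06][len][text]. This is
 * NOT real DER OID encoding; it just reproduces the failure shape of a
 * malformed element midway through the list. */
static bool oids_parse(const unsigned char *blob, size_t blob_len,
                       char *OIDs[ASN1_MAX_OIDS])
{
    size_t pos = 0, n = 0;

    oids_init(OIDs);            /* the fix proposed in the thread */

    while (pos < blob_len) {
        size_t len;
        if (blob[pos] != 0x06 || pos + 1 >= blob_len) {
            return false;       /* wrong tag or truncated header */
        }
        len = blob[pos + 1];
        if (len == 0 || pos + 2 + len > blob_len) {
            return false;       /* length runs past the buffer */
        }
        if (n >= ASN1_MAX_OIDS) {
            return false;       /* more OIDs than the fixed array holds */
        }
        OIDs[n] = malloc(len + 1);
        if (OIDs[n] == NULL) {
            return false;
        }
        memcpy(OIDs[n], blob + pos + 2, len);
        OIDs[n][len] = '\0';
        n++;
        pos += 2 + len;
    }
    return n > 0;
}

/* Number of populated slots; shows what a failed parse left behind. */
static size_t oids_count(char *OIDs[ASN1_MAX_OIDS])
{
    size_t i = 0;
    while (i < ASN1_MAX_OIDS && OIDs[i] != NULL) {
        i++;
    }
    return i;
}

/* Constructed inputs: a well-formed two-element list, and one whose second
 * element carries the wrong tag (0x04 instead of 0x06). */
static const unsigned char good_blob[] = {
    0x06, 0x09, '1', '.', '2', '.', '8', '4', '0', '.', '1',
    0x06, 0x03, '1', '.', '3'
};
static const unsigned char bad_blob[] = {
    0x06, 0x09, '1', '.', '2', '.', '8', '4', '0', '.', '1',
    0x04, 0x03, '1', '.', '3'
};

/* Parse, record how many slots were filled, then tear down. The free is
 * safe whether or not the parse succeeded. */
static size_t demo(const unsigned char *blob, size_t blob_len, bool *ok)
{
    char *OIDs[ASN1_MAX_OIDS];
    size_t filled;
    *ok = oids_parse(blob, blob_len, OIDs);
    filled = oids_count(OIDs);
    oids_free(OIDs);
    return filled;
}

int main(void)
{
    bool ok;
    demo(good_blob, sizeof(good_blob), &ok);   /* 2 filled, ok == true  */
    demo(bad_blob, sizeof(bad_blob), &ok);     /* 1 filled, ok == false */
    return 0;
}
```

Without the oids_init() call, the bad_blob case would leave OIDs[1..19] holding whatever was on the stack, and the caller's free loop would walk into those garbage pointers, which is exactly the "uninitialized free" the patch below closes off.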

Created attachment 7943
Patch for all releases.
As previously mentioned, this isn't the completely correct patch but will fix this generic uninitialized free error once and for all, and once I have the packet trace from Codenomicon I will fix the underlying issue.
This patch applies to all released versions - 4.0.0rc, 3.6.next and 3.5.next.
Jeremy.